<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Invalidate token API | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'security-api-invalidate-token.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-invalidate-token.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-invalidate-token.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/security-api-invalidate-token.html" rel="nofollow" target="_blank">../en/security-api-invalidate-token.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="rest-apis.html">REST APIs</a></span>
»
<span class="breadcrumb-link"><a href="security-api.html">Security APIs</a></span>
»
<span class="breadcrumb-node">Invalidate token API</span>
</div>
<div class="navheader">
<span class="prev">
<a href="security-api-invalidate-api-key.html">« Invalidate API key API</a>
</span>
<span class="next">
<a href="security-api-oidc-prepare-authentication.html">OpenID Connect Prepare Authentication API »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="security-api-invalidate-token"></a>Invalidate token API<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>

<p>Invalidates one or more access tokens or refresh tokens.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-invalidate-token-request"></a>Request<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<p><code class="literal">DELETE /_security/oauth2/token</code></p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-invalidate-token-desc"></a>Description<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The access tokens returned by the <a class="xref" href="security-api-get-token.html" title="Get token API">get token API</a> have a
finite period of time for which they are valid and after that time period, they
can no longer be used. That time period is defined by the
<code class="literal">xpack.security.authc.token.timeout</code> setting. For more information, see
<a class="xref" href="security-settings.html#token-service-settings" title="Token service settings">Token service settings</a>.</p>
<p>The refresh tokens returned by the <a class="xref" href="security-api-get-token.html" title="Get token API">get token API</a> are
only valid for 24 hours. They can also be used exactly once.</p>
<p>If you want to invalidate one or more access or refresh tokens immediately, use
this invalidate token API.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-invalidate-token-request-body"></a>Request body<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The following parameters can be specified in the body of a DELETE request and
pertain to invalidating tokens:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">token</code>
</span>
</dt>
<dd>
(Optional, string) An access token. This parameter cannot be used any of
<code class="literal">refresh_token</code>, <code class="literal">realm_name</code> or <code class="literal">username</code> are used.
</dd>
<dt>
<span class="term">
<code class="literal">refresh_token</code>
</span>
</dt>
<dd>
(Optional, string) A refresh token. This parameter cannot be used any of
<code class="literal">refresh_token</code>, <code class="literal">realm_name</code> or <code class="literal">username</code> are used.
</dd>
<dt>
<span class="term">
<code class="literal">realm_name</code>
</span>
</dt>
<dd>
(Optional, string) The name of an authentication realm. This parameter cannot be
used with either <code class="literal">refresh_token</code> or <code class="literal">token</code>.
</dd>
<dt>
<span class="term">
<code class="literal">username</code>
</span>
</dt>
<dd>
(Optional, string) The username of a user. This parameter cannot be used with
either <code class="literal">refresh_token</code> or <code class="literal">token</code>
</dd>
</dl>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>While all parameters are optional, at least one of them is required. More
specifically, either one of <code class="literal">token</code> or <code class="literal">refresh_token</code> parameters is required.
If none of these two are specified, then <code class="literal">realm_name</code> and/or <code class="literal">username</code> need to
be specified.</p>
</div>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-invalidate-token-response-body"></a>Response body<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<p>A successful call returns a JSON structure that contains the number of tokens
that were invalidated, the number of tokens that had already been invalidated,
and potentially a list of errors encountered while invalidating specific tokens.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-invalidate-token-example"></a>Examples<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/rest-api/security/invalidate-tokens.asciidoc">edit</a>
</h3>
</div></div></div>
<p>For example, if you create a token using the <code class="literal">client_credentials</code> grant type as
follows:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/oauth2/token
{
  "grant_type" : "client_credentials"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2117.console"></div>
<p>The get token API returns the following information about the access token:</p>
<div class="pre_wrapper lang-console-result">
<pre class="programlisting prettyprint lang-console-result">{
  "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "type" : "Bearer",
  "expires_in" : 1200
}</pre>
</div>
<p>This access token can now be immediately invalidated, as shown in the following
example:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">DELETE /_security/oauth2/token
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ=="
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2118.console"></div>
<p>If you used the <code class="literal">password</code> grant type to obtain a token for a user, the response
might also contain a refresh token. For example:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/oauth2/token
{
  "grant_type" : "password",
  "username" : "test_admin",
  "password" : "x-pack-test-password"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2119.console"></div>
<p>The get token API returns the following information:</p>
<div class="pre_wrapper lang-console-result">
<pre class="programlisting prettyprint lang-console-result">{
  "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "type" : "Bearer",
  "expires_in" : 1200,
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}</pre>
</div>
<p>The refresh token can now also be immediately invalidated as shown
in the following example:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">DELETE /_security/oauth2/token
{
  "refresh_token" : "vLBPvmAB6KvwvJZr27cS"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2120.console"></div>
<p>The following example invalidates all access tokens and refresh tokens for the
<code class="literal">saml1</code> realm immediately:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">DELETE /_security/oauth2/token
{
  "realm_name" : "saml1"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2121.console"></div>
<p>The following example invalidates all access tokens and refresh tokens for the
user <code class="literal">myuser</code> in all realms immediately:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">DELETE /_security/oauth2/token
{
  "username" : "myuser"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2122.console"></div>
<p>Finally, the following example invalidates all access tokens and refresh tokens
for the user <code class="literal">myuser</code> in the <code class="literal">saml1</code> realm immediately:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">DELETE /_security/oauth2/token
{
  "username" : "myuser",
  "realm_name" : "saml1"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/2123.console"></div>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "invalidated_tokens":9, <a id="CO661-1"></a><i class="conum" data-value="1"></i>
  "previously_invalidated_tokens":15, <a id="CO661-2"></a><i class="conum" data-value="2"></i>
  "error_count":2, <a id="CO661-3"></a><i class="conum" data-value="3"></i>
  "error_details":[ <a id="CO661-4"></a><i class="conum" data-value="4"></i>
    {
      "type":"exception",
      "reason":"Elasticsearch exception [type=exception, reason=foo]",
      "caused_by":{
        "type":"exception",
        "reason":"Elasticsearch exception [type=illegal_argument_exception, reason=bar]"
      }
    },
    {
      "type":"exception",
      "reason":"Elasticsearch exception [type=exception, reason=boo]",
      "caused_by":{
        "type":"exception",
        "reason":"Elasticsearch exception [type=illegal_argument_exception, reason=far]"
      }
    }
  ]
}</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO661-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The number of the tokens that were invalidated as part of this request.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO661-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>The number of tokens that were already invalidated.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO661-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>The number of errors that were encountered when invalidating the tokens.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO661-4"><i class="conum" data-value="4"></i></a></p>
</td>
<td align="left" valign="top">
<p>Details about these errors. This field is not present in the response when
<code class="literal">error_count</code> is 0.</p>
</td>
</tr>
</table>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="security-api-invalidate-api-key.html">« Invalidate API key API</a>
</span>
<span class="next">
<a href="security-api-oidc-prepare-authentication.html">OpenID Connect Prepare Authentication API »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>